Article: Regulatory Insights

Understanding the ISO 27001:2022 Transition — Information Security in an Era of Escalating Cyber Threats

The transition deadline for ISO 27001:2022 is approaching. Organizations certified under the 2013 version must demonstrate conformity with the updated standard. Here is what has changed and how to manage the transition without disrupting your security operations.

ECHOS Regulatory Shield Team | April 25, 2026 | 12 min read

Why the 2022 Revision Matters

ISO/IEC 27001 is the international standard for information security management systems (ISMS). The 2022 revision, published in October 2022, is the most significant update since the 2013 edition, reflecting nearly a decade of change in the threat landscape, cloud adoption, privacy regulation, and the way organizations structure their security programmes.

The transition is not optional. Organizations certified under ISO 27001:2013 must transition to the 2022 version within the three-year window that the accreditation bodies set from the revision's October 2022 publication. Once that window closes, certificates issued against ISO 27001:2013 cease to be valid, whatever expiry date is printed on them.

What Has Changed

Restructured Annex A Controls

The most visible change is the restructuring of Annex A. The 2013 version contained 114 controls organized across 14 domains (A.5 to A.18). The 2022 revision reduces these to 93 controls across four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The reduction comes from consolidation rather than removal: 57 of the 2013 controls were merged into 24, 58 were carried over with updated wording, and 11 are new.

This reorganization is more than cosmetic. The four themes group controls by what implements them (the organization's processes, its people, its premises, its technology), which maps more directly onto ownership and evidence than the 2013 domains did.

The management-system clauses (4 to 10) change less, but not trivially. Clause 6.3 on planning of changes to the ISMS is new; clause 4.4 now requires the ISMS processes and their interactions to be determined; clause 6.2 requires security objectives to be monitored and documented; and clause 8.1 explicitly requires control of externally provided processes, products and services. These are the points a transition auditor will look for beyond the Annex A mapping.

New Controls for Contemporary Threats

The revision introduces 11 entirely new controls that address gaps in the 2013 framework:

Threat intelligence (5.7) — Organizations must establish processes for collecting, analysing, and acting on threat intelligence relevant to their operations.

Information security for use of cloud services (5.23) — A dedicated control covering the acquisition, use, management, and exit from cloud services, reflecting the ubiquity of cloud adoption.

ICT readiness for business continuity (5.30) — Strengthening the link between information security and business continuity planning.

Physical security monitoring (7.4) — Requirements for surveillance and monitoring of physical premises to prevent unauthorized access.

Configuration management (8.9) — Formal requirements for managing the configuration of hardware, software, and network components.

Information deletion (8.10) — Controls for the secure deletion of information when it is no longer required, aligning with privacy regulations such as GDPR.

Data masking (8.11) — Requirements for limiting the exposure of sensitive data through masking, pseudonymisation, or anonymisation, including, but not limited to, data copied into test and other non-production environments.

Data leakage prevention (8.12) — Controls to detect and prevent unauthorized disclosure of sensitive information.

Monitoring activities (8.16) — Expanded requirements for monitoring networks, systems, and applications for anomalous behaviour.

Web filtering (8.23) — Controls for managing access to external websites to reduce exposure to malicious content.

Secure coding (8.28) — Requirements for applying secure coding principles in software development.

Attribute-Based Classification

Each control now carries a set of attributes, defined in the companion guidance ISO/IEC 27002:2022 rather than in Annex A itself: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities (for example asset management, identity and access management, threat and vulnerability management), and security domains (governance and ecosystem, protection, defence, resilience). The attributes are informative, not audited requirements, but they let organizations filter and report on the control set by the view that matters to them, such as all detective controls or every control that supports availability.

Managing the Transition

A well-managed transition follows a structured sequence:

Gap analysis. Map your current ISMS against the 2022 requirements. Annex B of ISO/IEC 27002:2022 provides the correspondence table between the 2022 and 2013 control numbering, which removes most of the guesswork for merged and renumbered controls. Identify which of the 11 new controls are applicable to your organization and where existing controls need updating.

Statement of Applicability (SoA) update. Your SoA must be revised to reflect the new control structure. This is often the most time-consuming element of the transition, because every one of the 93 controls needs a decision on applicability, a justification for its inclusion or exclusion, and a statement of whether it is implemented, as clause 6.1.3 requires. A control that is applicable but not yet implemented still belongs in the SoA, with its implementation tracked in the risk treatment plan.

Risk assessment refresh. Controls are selected by risk treatment, not the other way round, so the new controls are a prompt to check whether your risk register covers the risks they treat (for example, data leakage, misconfiguration, or loss of ICT services during a disruption). Refresh the assessment so that each new control you declare applicable is traceable to a treated risk, and so that each exclusion rests on a documented rationale.

Documentation and evidence. Update your ISMS documentation to reference the 2022 control numbering and structure. Ensure that evidence of control implementation is current and accessible for the transition audit.

Internal audit. Conduct a full internal audit against the 2022 requirements before your transition audit with the certification body.

Certification body coordination. Engage your certification body early to schedule the transition audit and clarify their specific expectations for demonstrating conformity. The transition audit can usually be combined with a scheduled surveillance or recertification audit, which avoids a separate visit, but the combined audit needs additional time and must be booked accordingly.

The ECHOS Advantage

ECHOS provides end-to-end transition management for ISO 27001:2022. Our Regulatory Shield model means we handle the gap analysis, SoA revision, documentation updates, internal audit, and certification body liaison — while your security team continues to focus on protecting your organization.

For financial services organizations, where ISO 27001 certification is increasingly a regulatory expectation and a client requirement, a smooth transition is not just a compliance exercise — it is a business continuity imperative.

Next Step: Request a complimentary ISO 27001:2022 transition readiness assessment from the ECHOS Regulatory Shield team. We will provide a clear gap analysis and a realistic transition timeline tailored to your organization.

ECHOS Regulatory Shield Team, ECHOS Consulting
